Release 1.25.8

.drone.yml

@@ -39,7 +39,7 @@ steps:
       # Disable go linting, we use the one included in the go image
       VALIDATE_GO: "false"
       # Exclude template files from linting. The linter does not understand Go template.
-      FILTER_REGEX_EXCLUDE: (templates/distribution/)
+      FILTER_REGEX_EXCLUDE: (templates/)
     depends_on:
       - license-check
       - schema-check

Furyfile.yml

@@ -4,10 +4,10 @@
 
 ---
 versions:
-  auth: v0.0.3
-  aws: v3.0.0
-  dr: v2.0.0
-  ingress: v2.0.0
+  auth: v0.0.4
+  aws: v4.0.0
+  dr: v2.1.0
+  ingress: v2.1.0
   logging: v3.1.3
   monitoring: v2.1.0
   opa: v1.8.0

Makefile

@@ -73,6 +73,11 @@ generate-go-models: dump-private-schema
 		--resolve-extension json \
 		--output pkg/apis/kfddistribution/v1alpha2/public/schema.go \
 		schemas/public/kfddistribution-kfd-v1alpha2.json
+	@go-jsonschema \
+		--package public \
+		--resolve-extension json \
+		--output pkg/apis/onpremises/v1alpha2/public/schema.go \
+		schemas/public/onpremises-kfd-v1alpha2.json
 
 dump-private-schema:
 	@cat schemas/public/ekscluster-kfd-v1alpha2.json | \

README.md

@@ -7,8 +7,8 @@
 <p align="center">Kubernetes Fury Distribution (KFD) is a certified battle-tested Kubernetes distribution based purely on upstream Kubernetes.</p>
 <!-- markdownlint-enable MD033 -->
 
-[![Build Status](http://ci.sighup.io/api/badges/sighupio/fury-distribution/status.svg?ref=refs/tags/v1.25.7)](http://ci.sighup.io/sighupio/fury-distribution)
-[![Release](https://img.shields.io/badge/release-v1.25.7-blue?label=FuryDistributionRelease)](https://github.com/sighupio/fury-distribution/releases/latest)
+[![Build Status](http://ci.sighup.io/api/badges/sighupio/fury-distribution/status.svg?ref=refs/tags/v1.25.8)](http://ci.sighup.io/sighupio/fury-distribution)
+[![Release](https://img.shields.io/badge/release-v1.25.8-blue?label=FuryDistributionRelease)](https://github.com/sighupio/fury-distribution/releases/latest)
 [![Slack](https://img.shields.io/badge/slack-@kubernetes/fury-yellow.svg?logo=slack)](https://kubernetes.slack.com/archives/C0154HYTAQH)
 [![License](https://img.shields.io/github/license/sighupio/fury-distribution)](https://github.com/sighupio/fury-distribution/blob/main/LICENSE)
 
@@ -95,17 +95,10 @@ Current supported versions of KFD are:
 
 |                                  KFD Version                                   | Kubernetes Version |
 | :----------------------------------------------------------------------------: | :----------------: |
-| [`1.25.7`](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.7) |      `1.25.x`      |
+| [`1.25.8`](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.8) |      `1.25.x`      |
 | [`1.24.1`](https://github.com/sighupio/fury-distribution/releases/tag/v1.24.1) |      `1.24.x`      |
 | [`1.23.4`](https://github.com/sighupio/fury-distribution/releases/tag/v1.23.3) |      `1.23.x`      |
 
-| Installer / KFD Version                                                |       1.25.7       |       1.24.1       |       1.23.4       |
-| ---------------------------------------------------------------------- | :----------------: | :----------------: | :----------------: |
-| [on-premises](https://github.com/sighupio/fury-kubernetes-on-premises) | :white_check_mark: | :white_check_mark: | :white_check_mark: |
-| [EKS](https://github.com/sighupio/fury-eks-installer)                  | :white_check_mark: | :white_check_mark: | :white_check_mark: |
-| [GKE](https://github.com/sighupio/fury-gke-installer)                  | :white_check_mark: | :white_check_mark: | :white_check_mark: |
-| [AKS](https://github.com/sighupio/fury-aks-installer)                  | :white_check_mark: | :white_check_mark: | :white_check_mark: |
-
 Check the [compatibility matrix][compatibility-matrix] for additional information about previous releases of the Distribution and the compatibility with `furyctl`.
 
 Also, check the [versioning documentation file][versioning] to know more about the versioning scheme of the distribution and the upgrade path.
@@ -147,7 +140,7 @@ KFD is open-source software and it's released under the following [LICENSE](LICE
 [monitoring-version]: https://img.shields.io/badge/release-v2.1.0-blue
 [dr-version]: https://img.shields.io/badge/release-v2.0.0-blue
 [opa-version]: https://img.shields.io/badge/release-v1.8.0-blue
-[auth-version]: https://img.shields.io/badge/release-v0.0.3-blue
+[auth-version]: https://img.shields.io/badge/release-v0.0.4-blue
 
 <!-- Addon Modules -->
 [kong-module]: https://github.com/sighupio/fury-kubernetes-kong

defaults/ekscluster-kfd-v1alpha2.yaml

@@ -174,6 +174,9 @@ data:
           dex:
             host: ""
             ingressClass: ""
+          gangway: # only needed as default
+            host: ""
+            ingressClass: ""
         tolerations: null
       provider:
         # can be none, basicAuth or sso. SSO uses pomerium+dex
@@ -194,6 +197,9 @@ data:
       dex:
         # see dex documentation for more information
         connectors: []
+      oidcKubernetesAuth: # only needed as default
+        enabled: false
+      baseDomain: ""
 
 templates:
   includes:

defaults/kfddistribution-kfd-v1alpha2.yaml

@@ -161,6 +161,9 @@ data:
           dex:
             host: ""
             ingressClass: ""
+          gangway: # only needed as default
+            host: ""
+            ingressClass: ""
         tolerations: null
       provider:
         # can be none, basicAuth or sso. SSO uses pomerium+dex
@@ -181,6 +184,9 @@ data:
       dex:
         # see dex documentation for more information
         connectors: []
+      oidcKubernetesAuth: # only needed as default
+        enabled: false
+      baseDomain: ""
 
 templates:
   includes:

defaults/onpremises-kfd-v1alpha2.yaml

@@ -0,0 +1,196 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+data:
+  customPatches:
+    configMapGenerator: []
+    secretGenerator: []
+    patches: []
+    patchesStrategicMerge: []
+  # the common section will be used by all the templates in all modules, everything defined here is something used by all the KFD modules.
+  common:
+    # where all the KFD modules are downloaded
+    relativeVendorPath: "../../vendor"
+    provider:
+      type: none
+
+  # the module section will be used to fine tune each module behaviour and configuration
+  modules:
+    # ingress module configuration
+    ingress:
+      overrides:
+        nodeSelector: null
+        tolerations: null
+        # override ingresses parameters
+        ingresses:
+          forecastle:
+            # disable authentication if set globally on auth module
+            disableAuth: false
+            # if empty, will use the default packageName + baseDomain from common configurations
+            host: ""
+            ingressClass: ""
+
+      baseDomain: example.dev
+      dns:
+        public:
+          name: ""
+          # if create is false, a data source will be used to get the public DNS, otherwise a public zone will be created
+          create: false
+        # private is used only when ingress.nginx.type is "dual"
+        private:
+          # required to be set by the user, ex: internal.fury-demo.sighup.io
+          name: ""
+          create: true
+          # internal field, should be either the VPC ID taken from the kubernetes
+          # phase or the ID of the created VPC in the Ifra phase
+          vpcId: ""
+      # common configuration for nginx ingress controller
+      nginx:
+        # can be single or dual
+        type: single
+        tls:
+          # can be certManager, secret or none
+          provider: certManager # it uses the configuration below as default when certManager is chosen
+          secret: #if we want to use custom certificates, the template should create a secret and set it as default certificate in NGINX, so patch nginx deployment accordingly
+            cert: |
+              value
+            key: |
+              value
+            ca: |
+              value
+      # the standard configuration for cert-manager on the ingress module
+      certManager:
+        # to create the clusterIssuer, this is an additional clusterIssuer than the two provided by cert-manager, for simplicity
+        clusterIssuer:
+          name: letsencrypt-fury
+          email: engineering+fury-distribution@sighup.io
+          type: null
+    # logging module configuration
+    logging:
+      overrides:
+        nodeSelector: null
+        tolerations: null
+        ingresses:
+          opensearchDashboards:
+            disableAuth: false
+            host: ""
+            ingressClass: ""
+          cerebro:
+            disableAuth: false
+            host: ""
+            ingressClass: ""
+          minio:
+            disableAuth: false
+            host: ""
+            ingressClass: ""
+      # can be opensearch or loki
+      type: opensearch
+      opensearch:
+        # can be single or triple
+        type: single
+        # if set, it will override the volumeClaimTemplates in the opensearch statefulSet
+        storageSize: 150Gi
+      minio:
+        # define the size for each minio disk, total disks to be created: 6
+        storageSize: 20Gi
+      # override ingresses parameters
+    # monitoring module configuration
+    monitoring:
+      overrides:
+        nodeSelector: null
+        tolerations: null
+        # override ingresses parameters
+        ingresses:
+          prometheus:
+            disableAuth: false
+            host: ""
+            ingressClass: ""
+          alertmanager:
+            disableAuth: false
+            host: ""
+            ingressClass: ""
+          grafana:
+            disableAuth: false
+            host: ""
+            ingressClass: ""
+      prometheus:
+        retentionTime: 30d
+        retentionSize: 120GB
+        storageSize: 150Gi
+      alertmanager:
+        deadManSwitchWebhookUrl: ""
+        slackWebhookUrl: ""
+    # networking module configuration
+    networking:
+      overrides:
+        nodeSelector: null
+        tolerations: null
+    # policy module configuration
+    policy:
+      overrides:
+        nodeSelector: null
+        tolerations: null
+        # override ingresses parameters
+        ingresses:
+          gpm:
+            disableAuth: false
+            host: ""
+            ingressClass: ""
+      # the standard configuration for gatekeeper on the policy module
+      gatekeeper:
+        # this configuration adds namespaces to the excluded list, actually whitelisting them
+        additionalExcludedNamespaces: []
+    # dr module configuration
+    dr:
+      overrides:
+        nodeSelector: null
+        tolerations: null
+      # the standard configuration for velero on the dr module
+      velero: {}
+    # auth module configuration
+    auth:
+      overrides:
+        nodeSelector: null
+        # override ingresses parameters
+        ingresses:
+          pomerium:
+            # disableAuth: false <- This doesn't make sense here.
+            host: ""
+            ingressClass: ""
+          dex:
+            host: ""
+            ingressClass: ""
+          gangway:
+            host: ""
+            ingressClass: ""
+        tolerations: null
+      provider:
+        # can be none, basicAuth or sso. SSO uses pomerium+dex
+        type: none
+        basicAuth:
+          username: admin
+          password: admin
+      pomerium:
+        policy: ""
+        secrets:
+          # override environment variables here
+          ##COOKIE_SECRET is obtained with  `head -c32 /dev/urandom | base64` see https://www.pomerium.io/reference/#cookie-secret
+          COOKIE_SECRET: ""
+          ##IDP_CLIENT_SECRET is the secret configured in the pomerium Dex static client
+          IDP_CLIENT_SECRET: ""
+          ##SHARED_SECRET is obtained with  `head -c32 /dev/urandom | base64` see https://www.pomerium.io/reference/#shared-secret
+          SHARED_SECRET: ""
+      dex:
+        # see dex documentation for more information
+        connectors: []
+      oidcKubernetesAuth:
+        enabled: false
+      baseDomain: ""
+
+templates:
+  includes:
+    - ".*\\.yaml"
+    - ".*\\.yml"
+  suffix: ".tpl"
+  processFilename: true

docs/COMPATIBILITY_MATRIX.md

@@ -10,7 +10,8 @@ For a complete list of all KFD releases and their compatibility with Kubernetes
 
 | KFD / Kubernetes Version                                                      |       1.25.X       |       1.24.X       |       1.23.X       |
 | ----------------------------------------------------------------------------- | :----------------: | :----------------: | :----------------: |
-| [v1.25.6](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.7) | :white_check_mark: |                    |                    |
+| [v1.25.8](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.8) | :white_check_mark: |                    |                    |
+| [v1.25.7](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.7) | :white_check_mark: |                    |                    |
 | [v1.25.6](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.6) | :white_check_mark: |                    |                    |
 | [v1.25.5](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.5) | :white_check_mark: |                    |                    |
 | [v1.25.4](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.4) | :white_check_mark: |                    |                    |
@@ -32,24 +33,25 @@ For a complete list of all KFD releases and their compatibility with Kubernetes
 |     :warning:      | Has known issues |
 |        :x:         | Incompatible     |
 
+### Warnings
+
+- :x: version `v1.23.0` has a known bug that breaks upgrades. Do not use.
+
 ### Furyctl and KFD compatibility
 
-| Furyctl / KFD  | 1.25.7             | 1.25.6             | 1.25.5             | 1.25.4             | 1.25.3             | 1.25.2             |
-| -------------- | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ |
-| 0.25.2         | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |                    |                    |
-| 0.25.1         | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |                    |                    |
-| 0.25.0         | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |                    |                    |
-| 0.25.0-beta.0  |                    |                    |                    |                    | :white_check_mark: |                    |
-| 0.25.0-alpha.1 |                    |                    |                    |                    |                    | :white_check_mark: |
+| Furyctl / KFD  | 1.25.8             | 1.25.7             | 1.25.6             | 1.25.5             | 1.25.4             | 1.25.3             | 1.25.2             |
+| -------------- | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ |
+| 0.26.2         | :white_check_mark: |                    |                    |                    |                    |                    |                    |
+| 0.25.2         |                    | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |                    |                    |
+| 0.25.1         |                    | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |                    |                    |
+| 0.25.0         |                    | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |                    |                    |
+| 0.25.0-beta.0  |                    |                    |                    |                    |                    | :white_check_mark: |                    |
+| 0.25.0-alpha.1 |                    |                    |                    |                    |                    |                    | :white_check_mark: |
 
 See [Furyctl](https://github.com/sighupio/furyctl) repository for more informations on it's usage.
 
 > We suggest to always use the latest furyctl and KFD versions available
 
-### Warnings
-
-- :x: version `v1.23.0` has a known bug that breaks upgrades. Do not use.
-
 ## Unmaintained releases 🗄️
 
 In the following table, you can check the compatibility of KFD releases that are not maintained anymore with older Kubernetes versions.

docs/releases/v1.25.8.md

@@ -0,0 +1,33 @@
+# Kubernetes Fury Distribution Release v1.25.8
+
+Welcome to KFD release `v1.25.8`.
+
+The distribution is maintained with ❤️ by the team [SIGHUP](https://sighup.io/) it is battle tested in production environments.
+
+With this release, OnPremises and Plugins feature
+
+## New Features since `v1.25.7`
+
+### Core Module Updates
+
+- [ingress](https://github.com/sighupio/fury-kubernetes-ingress) 📦 core module: v2.0.0 -> [**v2.1.0**](https://github.com/sighupio/fury-kubernetes-ingress/releases/tag/v2.1.0)
+  - Updated cert-manager from `1.11.0` to `1.11.1`.
+  - Updated external-dns from `0.13.2` to `0.13.4`.
+  - Updated forecastle from `1.0.119` to `1.0.125`.
+  - Updated nginx from `1.5.1` to `1.7.1`.
+- [dr](https://github.com/sighupio/fury-kubernetes-dr) 📦 core module: v2.0.0 -> [**v2.1.0**](https://github.com/sighupio/fury-kubernetes-dr/releases/tag/v2.1.0)
+  - Updated velero from `1.10.1` to `1.11.0`.
+  - Updated all plugins from `1.6.1` to `1.7.0`.
+- [auth](https://github.com/sighupio/fury-kubernetes-auth) 📦 core module: v0.0.3 -> [**v0.0.4**](https://github.com/sighupio/fury-kubernetes-auth/releases/tag/v0.0.4)
+
+> Please refer the individual release notes for detailed information.
+
+### Fixes
+
+- Fix: wrong taint regex in public eks-cluster schema
+- Bump: fury-eks-installer version to v2.0.2
+- Bump: aws add-ons from version v3.0.0 to v4.0.0 to introduce eks add-ons compatibility
+
+## Upgrade procedure
+
+Check the [v1.25.7-to-v1.25.8 upgrade guide](../upgrades/v1.25.7-to-v1.25.8.md) for the detailed procedure.